[Gateway Whiz] Connecting iPhone to Headquarters Through L2TP over IPSec

Latest reply: Apr 9, 2018 18:01:53

Hi, everyone! Today I’m going to introduce connecting iPhone to headquarters through L2TP over IPSec

Specifications

This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements

Traveling employees access the enterprise network from different locations, and they want to communicate with the headquarters frequently. As shown in Figure 1-1, traveling employees connect to the headquarters by dialing up using their iPhones, and the headquarters can authenticate and manage access users. In addition, communication between the traveling employees and headquarters is encrypted to prevent information leakage.

Figure 1-1 Connecting iPhones of mobile office users to the headquarters through L2TP over IPSec


Note

The commands used to configure IKE peers and the IKE protocol differ depending on the software version.

• In versions earlier than V200R008:
  ike peer peer-name [ v1 | v2 ]
• In V200R008 and later versions:
  • To configure IKE peers: ike peer peer-name
  • To configure the IKE protocol: version { 1 | 2 }

By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.

Procedure

Step 1 Configure the Router.

#
 sysname Router
#
 l2tp enable   //Enable L2TP.
#
acl number 3101   //Configure the IP address segment that permits IPSec encryption.
 rule 5 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
#
ipsec proposal tran1   //Configure the authentication and encryption algorithms for the IPSec proposal.
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 10   //Configure the authentication, encryption, and DH group algorithms for the IKE proposal.
 encryption-algorithm aes-128   //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
 dh group14
 authentication-algorithm sha2-256
#
ike peer a   //Set the pre-shared key of the IKE peer to Admin@123.
 pre-shared-key cipher %^%#/[$;=)q~,Fj9_s4|M>R9S%]QG,x&[6X]4"@eOs{E%^%#
 ike-proposal 10
#
ipsec policy-template policy_temp 1   //Configure an IPSec policy template and reference related parameters.
 security acl 3101
 ike-peer a
 proposal tran1
#
ipsec policy policy1 10 isakmp template policy_temp   //Configure an IPSec policy and associate it with the IPSec policy template.
#
ip pool 1   //Configure the device to allocate IP addresses to L2TP clients from the IP address pool.
 gateway-list 10.2.1.1
 network 10.2.1.0 mask 255.255.255.0
#
aaa   //Configure AAA local authentication and set the user name and password to vpdnuser and Hello123.
 authentication-scheme l2tp
 domain l2tp
  authorization-scheme l2tp
 local-user vpdnuser password cipher %^%#!~$GMN5Gj=j&f)IjQ8\>~b\-1"i^b@~.)+,2gi9K%^%#
 local-user vpdnuser privilege level 0
 local-user vpdnuser service-type ppp
#
interface GigabitEthernet1/0/1
 ip address 1.1.1.2 255.255.255.0
 ipsec policy policy1   //Bind the IPSec policy to the interface and enable IPSec.
#
interface GigabitEthernet1/0/2
 ip address 10.1.1.1 255.255.255.0
#
interface Virtual-Template1   //Create a VT template and configure dial-up parameters.
 ppp authentication-mode chap domain l2tp   //Configure the authentication mode and specify that authentication information carries the domain name.
 remote address pool 1   //Reference the IP address pool.
 ip address 10.2.1.1 255.255.255.0
#
l2tp-group 1   //Create an L2TP group and configure L2TP connection parameters.
 undo tunnel authentication   //Mobile phones dial up without tunnel authentication, so disabling it is advised.
 allow l2tp virtual-template 1
#
ip route-static 3.3.3.0 255.255.255.0 1.1.1.1
ip route-static 10.1.1.0 255.255.255.0 Virtual-Template1
#
return

Step 2 Configure the iPhone.


Note

Set Account and Password to vpdnuser and Hello123 configured on the Router. Set Secret to the IPSec pre-shared key Admin@123 configured on the Router.

Step 3 Verify the configuration.

Enable the VPN connection on the iPhone. The VPN connection is established successfully.

Run the display l2tp tunnel command on the Router to confirm that the L2TP tunnel has been established.

Run the display ike sa command on the Router to confirm that the IKE SA has been established.

After the configuration is complete, the traveling employee and the headquarters can exchange encrypted data.

----End
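Before treating the listing above as done, it is worth running the same kind of check a reviewer would: are the proposals still on a reasonable algorithm baseline, and does every object the policy template names actually exist? The script below is an added example, not Huawei tooling and not part of the original post. It parses a configuration of the shape shown in Step 1 (SAMPLE_CONFIG is a constructed copy of the relevant Step 1 commands with the inline comments, interface and route lines dropped, and the pre-shared-key cipher text replaced by a placeholder) and reports findings; the sets of acceptable algorithms and the minimum DH group are this example's own review baseline, not a Huawei default.

```python
"""Added review script (not Huawei's tooling): parses an AR L2TP-over-IPsec listing of
the shape shown in Step 1 and flags what a security reviewer would question.
SAMPLE_CONFIG is a constructed copy of the Step 1 commands; the allowed-algorithm sets
and MIN_DH_GROUP are this example's own baseline, not a Huawei default."""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
#
acl number 3101
 rule 5 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 10
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
#
ike peer a
 pre-shared-key cipher <cipher-text>
 ike-proposal 10
#
ipsec policy-template policy_temp 1
 security acl 3101
 ike-peer a
 proposal tran1
#
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 1
#
"""

# Review baseline for this example: AES, SHA-2 and MODP group 14 or stronger.
STRONG_ENC = {"aes-128", "aes-192", "aes-256", "aes-cbc-128", "aes-cbc-192", "aes-cbc-256"}
STRONG_AUTH = {"sha2-256", "sha2-384", "sha2-512"}
MIN_DH_GROUP = 14


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Split the listing on its '#' separators into {block header: [indented lines]}."""
    blocks: Dict[str, List[str]] = {}
    header = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            header = None            # separator: the next non-empty line opens a block
        elif line and header is None:
            header = line
            blocks[header] = []
        elif line:
            blocks[header].append(line)
    return blocks


def review(config: str) -> List[str]:
    """Return findings as 'LEVEL block: detail' strings; an empty list means nothing to flag."""
    blocks = parse_blocks(config)
    findings: List[str] = []

    def weak(header: str, line: str, ok: bool) -> None:
        if not ok:
            findings.append(f"WEAK {header}: {line}")

    def require(name: str, ref_from: str) -> None:
        if name not in blocks:
            findings.append(f"ERROR {ref_from}: references missing block '{name}'")

    for header, body in blocks.items():
        kind = " ".join(header.split()[:2])
        for line in body:
            w = line.split()
            if kind == "ike proposal":
                if w[0] == "encryption-algorithm":
                    weak(header, line, w[1] in STRONG_ENC)
                elif w[0] == "authentication-algorithm":
                    weak(header, line, w[1] in STRONG_AUTH)
                elif w[0] == "dh":   # "group14" -> 14
                    weak(header, line, int(re.sub(r"\D", "", w[1]) or 0) >= MIN_DH_GROUP)
            elif kind == "ipsec proposal":
                if w[:2] == ["esp", "encryption-algorithm"]:
                    weak(header, line, w[2] in STRONG_ENC)
                elif w[:2] == ["esp", "authentication-algorithm"]:
                    weak(header, line, w[2] in STRONG_AUTH)
            elif kind == "ipsec policy-template":
                # every object the template names must be defined somewhere in the listing
                target = {"security": f"acl number {w[-1]}", "ike-peer": f"ike peer {w[-1]}",
                          "proposal": f"ipsec proposal {w[-1]}"}.get(w[0])
                if target:
                    require(target, header)
            elif kind == "ike peer" and w[0] == "ike-proposal":
                require(f"ike proposal {w[1]}", header)
            elif header.startswith("l2tp-group") and line == "undo tunnel authentication":
                findings.append(f"INFO {header}: tunnel authentication disabled; acceptable only "
                                "because the L2TP control channel is carried inside IPsec")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_CONFIG):
        print(finding)
```

On the Step 1 listing the only finding is the informational one about tunnel authentication, which the Configuration Notes explain. Swapping in dh group2, md5 or 3des, or pointing the template at a proposal that does not exist, produces WEAK and ERROR findings, which is the point of keeping such a check next to the copy-and-paste configuration.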

Configuration Notes

• The pre-shared key for IKE negotiation at both ends must be the same.

• Tunnel authentication must be disabled on the Router if the L2TP client does not support tunnel authentication.
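The first note follows from how IKEv1 phase 1 authenticates with a pre-shared key (RFC 2409 section 5.4): SKEYID is derived from the shared key and both nonces, and each side proves it knew the key by sending HASH_I or HASH_R computed under SKEYID. A peer holding a different key computes a different SKEYID, its HASH does not verify, and no IKE SA appears in display ike sa. The following is an added illustration of that computation, not the router's or Apple's code. The cookies, nonces, ID payload bodies and Diffie-Hellman public values are constructed stand-ins (a real exchange uses MODP group 14 values); the PRF is HMAC-SHA-256 to match the sha2-256 authentication algorithm in the IKE proposal above.

```python
"""Added illustration (not the router's or Apple's code) of IKEv1 phase-1 pre-shared-key
authentication from RFC 2409 section 5.4. Cookies, nonces, IDs and DH public values are
constructed stand-ins; the PRF is HMAC-SHA-256, matching the sha2-256 IKE proposal above."""
import hashlib
import hmac
from dataclasses import dataclass


def prf(key: bytes, data: bytes) -> bytes:
    # RFC 2409: the negotiated hash algorithm in HMAC mode serves as the PRF.
    return hmac.new(key, data, hashlib.sha256).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    # Pre-shared-key authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni_b + nr_b)


@dataclass(frozen=True)
class Phase1Exchange:
    """Values both peers have seen once the main-mode KE/nonce exchange completes."""
    gxi: bytes     # initiator DH public value (stand-in bytes, not a real MODP-2048 value)
    gxr: bytes     # responder DH public value (stand-in bytes)
    cky_i: bytes   # initiator cookie, 8 bytes
    cky_r: bytes   # responder cookie, 8 bytes
    sai_b: bytes   # body of the initiator's SA payload (the offered proposal)
    idii_b: bytes  # body of the initiator's ID payload
    idir_b: bytes  # body of the responder's ID payload
    ni_b: bytes    # initiator nonce
    nr_b: bytes    # responder nonce


def hash_i(psk: bytes, x: Phase1Exchange) -> bytes:
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    sk = skeyid_psk(psk, x.ni_b, x.nr_b)
    return prf(sk, x.gxi + x.gxr + x.cky_i + x.cky_r + x.sai_b + x.idii_b)


def hash_r(psk: bytes, x: Phase1Exchange) -> bytes:
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    sk = skeyid_psk(psk, x.ni_b, x.nr_b)
    return prf(sk, x.gxr + x.gxi + x.cky_r + x.cky_i + x.sai_b + x.idir_b)


def verify(expected: bytes, received: bytes) -> bool:
    # Constant-time comparison of the locally recomputed HASH with the one received.
    return hmac.compare_digest(expected, received)


def sample_exchange() -> Phase1Exchange:
    # Constructed, fixed values so that the result is reproducible offline.
    return Phase1Exchange(
        gxi=bytes.fromhex("11" * 32), gxr=bytes.fromhex("22" * 32),
        cky_i=bytes.fromhex("0102030405060708"), cky_r=bytes.fromhex("a1a2a3a4a5a6a7a8"),
        sai_b=b"aes-128 sha2-256 group14 pre-shared-key",
        idii_b=b"ID:3.3.3.3 (iPhone, constructed)", idir_b=b"ID:1.1.1.2 (router)",
        ni_b=bytes.fromhex("aa" * 16), nr_b=bytes.fromhex("bb" * 16),
    )


def phase1_authenticates(iphone_psk: bytes, router_psk: bytes) -> bool:
    """Both directions of phase-1 authentication, each side using the key it was configured with."""
    x = sample_exchange()
    router_ok = verify(hash_i(router_psk, x), hash_i(iphone_psk, x))   # router checks HASH_I
    iphone_ok = verify(hash_r(iphone_psk, x), hash_r(router_psk, x))   # iPhone checks HASH_R
    return router_ok and iphone_ok


if __name__ == "__main__":
    print("matching keys:", phase1_authenticates(b"Admin@123", b"Admin@123"))
    print("mismatched keys:", phase1_authenticates(b"Admin@123", b"Admin@124"))
```

With Admin@123 on both sides the HASH payloads verify; change one character of the Secret on the iPhone and the router's recomputed HASH_I no longer matches, which is the failure a mismatched pre-shared key produces in practice.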

 

 If you have any problems, please post them in our Community. We are happy to solve them for you!


user_2790689
Created May 25, 2017 06:44:19

thank you

AnilChaulagain
Created Jan 7, 2018 18:54:18

What if the iPhone is getting a private IP address behind NAT?

wissal (MVE)
Created Apr 9, 2018 18:01:53

clear and useful document, thanks